Using DNS-over-TLS Resolvers on Linux

This tutorial will guide you through the steps to set up DNS-over-TLS (DoT) resolvers on a Linux system. You may have to adapt some steps slightly depending on the distribution you use.

Step 1: Install Stubby

Stubby is a popular DNS-over-TLS client that you can use to configure DoT resolvers. The installation process varies depending on your Linux distribution:

  • Debian/Ubuntu:

    sudo apt install stubby
    
  • CentOS/RHEL:

    sudo yum install epel-release
    sudo yum install stubby
    
  • Arch Linux:

    sudo pacman -S stubby
    
  • Fedora:

    sudo dnf install stubby
    
  • OpenSUSE/SUSE Linux:

    sudo zypper in stubby
    

Step 2: Configure Stubby

After installing Stubby, you need to configure it to use the DNS-over-TLS resolvers from dnscry.pt. Open the configuration file with your favorite text editor:

sudo vim /etc/stubby/stubby.yml

Edit the file to specify the DoT resolvers you want to use. You can find them on our Public Resolvers page. Below is an example configuration:

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 2a09:b280:fe01:35::a
    tls_auth_name: "dnscry.pt"
  - address_data: 2a03:94e0:271f::5b1
    tls_auth_name: "dnscry.pt"
  - address_data: 198.140.141.46
    tls_auth_name: "dnscry.pt"

Step 3: Start Stubby

To start Stubby and ensure it starts on boot, run:

sudo systemctl enable --now stubby

Verify that it's running:

sudo systemctl status stubby

You should see something like this:

* stubby.service - DNS Privacy Stub Resolver
   Loaded: loaded (/lib/systemd/system/stubby.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2025-01-24 21:00:00 CET; 1min 46s ago
     Docs: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
 Main PID: 12345 (stubby)
    Tasks: 5 (limit: 4915)
   Memory: 2.3M
   CGroup: /system.slice/stubby.service
           `-12345 /usr/bin/stubby -C /etc/stubby/stubby.yml

Step 4: Configure Your Network

Finally, configure the devices on your network to use your Stubby installation as the DNS resolver. On Linux, this can be done by modifying /etc/resolv.conf, but these settings may be overwritten when you reconnect to your network and get other resolvers via DHCP. Consult your OS documentation for the proper way to set DNS resolvers permanently.
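
A check worth running on the Step 2 file before relying on the resolver, as an added example that is not part of the original tutorial or the Stubby project: the shell function below flags settings that would let Stubby fall back to cleartext transports or skip certificate verification. The function name check_stubby_conf and the sample file are constructed for this example; GETDNS_AUTHENTICATION_NONE, GETDNS_TRANSPORT_UDP and tls_pubkey_pinset are Stubby options that the configuration above does not use.

```shell
# Added example. Lints a stubby.yml written in the block style of Step 2 (assumes each
# upstream starts with "- address_data:"). Prints FAIL lines; non-zero status if any.
check_stubby_conf() {
    awk '
    function flush() {   # strict authentication needs a name or key pin per upstream
        if (addr != "" && !auth) { print "FAIL no tls_auth_name or pinset for " addr; bad = 1 }
        addr = ""; auth = 0
    }
    { sub(/[ \t]*#.*$/, ""); if ($0 ~ /^[ \t]*$/) next }   # strip comments, skip blanks
    /^[^ \t-]/ {                         # top-level key: close any open upstream entry
        flush()
        in_up = ($1 == "upstream_recursive_servers:")
        in_tr = ($1 == "dns_transport_list:")
        if ($1 == "tls_authentication:") {
            seen_auth = 1
            if ($2 != "GETDNS_AUTHENTICATION_REQUIRED") { print "FAIL tls_authentication: " $2; bad = 1 }
        }
        next
    }
    in_tr && $1 == "-" {                 # any transport other than TLS is a fallback path
        if ($2 == "GETDNS_TRANSPORT_TLS") seen_tls = 1
        else { print "FAIL cleartext transport allowed: " $2; bad = 1 }
    }
    in_up && $1 == "-" && $2 == "address_data:" { flush() }
    in_up {
        for (i = 1; i <= NF; i++) {
            if ($i == "address_data:") addr = $(i + 1)
            if ($i == "tls_auth_name:" || $i == "tls_pubkey_pinset:") auth = 1
        }
    }
    END {
        flush()
        if (!seen_auth) { print "FAIL tls_authentication not set"; bad = 1 }
        if (!seen_tls)  { print "FAIL GETDNS_TRANSPORT_TLS not listed"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample: opportunistic settings that permit silent fallback.
weak=$(mktemp)
cat > "$weak" <<'EOF'
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP
tls_authentication: GETDNS_AUTHENTICATION_NONE
upstream_recursive_servers:
  - address_data: 192.0.2.53
EOF
check_stubby_conf "$weak" || echo "weak sample rejected"
rm -f "$weak"
```

Run it as check_stubby_conf /etc/stubby/stubby.yml; the Step 2 configuration produces no output and exit status 0.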